How to control user privilege?



appamail@hotmail.com
30 Jan 2010, 3:40 AM
Hello, all

I have a problem in my project. I do not know how to control which pages a user can see in GXT.

We are able to set the initial according to the user type. But if we use History, and a high-privilege user merely logs out instead of closing the browser, a low-privilege user can log in and directly key in the URL to visit the forbidden pages, because the history can send the event which was initialized before.

Is there any good idea for user privilege control? :-?

terciofilho
31 Jan 2010, 8:45 AM
You must check the user permission before rendering the page, maybe through an RPC call.

I don't know how you get your page structure, but, before you retrieve it to the user you must assert he/she has privileges.

appamail@hotmail.com
31 Jan 2010, 6:04 PM
You must check the user permission before rendering the page, maybe through an RPC call.

I don't know how you get your page structure, but, before you retrieve it to the user you must assert he/she has privileges.

Yes, I know that I need to check the user's permission before rendering a page for him/her, but what I worry about is: if a high-permission user has logged in before, then our page has been rendered for him, then he logs out. The page is still there, am I right? At this time, a lower-permission user logs in and uses history to visit the pages which he cannot reach. How can I avoid this?

terciofilho
1 Feb 2010, 4:39 AM
When you say Render, you mean by GXT, not a static HTML page, right?

If so, your application must run, and before it "renders" your window or something you call an RPC.

appamail@hotmail.com
1 Feb 2010, 6:45 AM
When you say Render, you mean by GXT, not a static HTML page, right?

If so, your application must run, and before it "renders" your window or something you call an RPC.

But as far as I know, if I merely log out (clear the session) and do not refresh the page, the application won't be destroyed (or say, won't re-render again). Am I right? And in this case, the history stack will keep the pages which were visited before, unless I close the browser. Then the visitor can use the history stack to visit the banned page. I am not sure if I am right.

What I can think of to solve this problem is that when a user logs out, I force him to refresh the page (then the application will re-render), or what is more, I force him to close the browser. I want to know if there is a method to clear the history stack?

terciofilho
1 Feb 2010, 6:55 AM
No, the application is run every time. When you select, for example, some entry in your history (previous page from a Power User), the application that has been cached will run again, but it will run, not just display what was on the screen last time.

That's why I asked you if it is a static HTML page; if yes, it will get recovered from cache and displayed.

We are talking about applications, so to be rendered it must be run.

Just to clarify, try entering an example in the Explorer of GXT, and opening a couple of examples. Now close the browser, and open it again. Choose your last page from history; it will open the LAST example opened, but not the others you opened before. This is proof that the application has run, not just displayed.

This is true only, and only if, before you open, for example, a Window in your application, you make an RPC call to validate this selection.

Your business logic may be in the client, so it may have all that it needs to run; that's why you must ensure that you call home before opening a privileged window or something.
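
Added example (not part of the original thread, and not GXT or GWT code): a plain-Java model of the server-side check that the "call home" RPC would perform for each history token, deciding from the live session rather than from anything the client has cached. The class name, the roles and the history tokens "home" and "adminPanel" are assumptions made for illustration.

```java
import java.util.*;

/** Added illustration: server-side page authorization keyed on the live session. */
public class PageAuthorizer {
    enum Role { BASIC, POWER }

    // Hypothetical history tokens and the minimum role each page requires.
    private static final Map<String, Role> REQUIRED = new HashMap<>();
    static {
        REQUIRED.put("home", Role.BASIC);
        REQUIRED.put("adminPanel", Role.POWER);
    }

    // Server-side session store: session id -> role of the logged-in user.
    private final Map<String, Role> sessions = new HashMap<>();

    String login(Role role) {
        String id = UUID.randomUUID().toString();
        sessions.put(id, role);
        return id;
    }

    void logout(String sessionId) { sessions.remove(sessionId); }

    /** What the RPC would answer before the client opens the page for a token. */
    boolean mayOpen(String sessionId, String historyToken) {
        Role have = sessions.get(sessionId);      // null after logout or for a forged id
        Role need = REQUIRED.get(historyToken);   // null for unknown tokens
        if (have == null || need == null) return false; // deny by default
        return have.compareTo(need) >= 0;         // enum order: BASIC < POWER
    }

    public static void main(String[] args) {
        PageAuthorizer server = new PageAuthorizer();
        String power = server.login(Role.POWER);
        System.out.println("power user -> adminPanel: " + server.mayOpen(power, "adminPanel"));
        server.logout(power);  // browser stays open, history still holds "adminPanel"
        System.out.println("stale session -> adminPanel: " + server.mayOpen(power, "adminPanel"));
        String basic = server.login(Role.BASIC);
        System.out.println("basic user -> adminPanel: " + server.mayOpen(basic, "adminPanel"));
        System.out.println("basic user -> home: " + server.mayOpen(basic, "home"));
        System.out.println("basic user -> unknownToken: " + server.mayOpen(basic, "unknownToken"));
    }
}
```

The same check has to guard the RPCs that return the privileged data itself, since the client-side code that opens the window can be bypassed.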

appamail@hotmail.com
1 Feb 2010, 8:03 AM
Very clear analysis, understood now. Thank you for such a detailed answer.